Researchers have uncovered a new malware tool used by the DragonForce ransomware group that hides command-and-control (C&C) communications inside Microsoft Teams infrastructure. The malware, named Backdoor.Turn, is believed to be the first known malware observed in real-world attacks abusing Microsoft Teams TURN relay servers for stealthy communications.
“To our knowledge this is the first time TURN relay infrastructure has been abused this way in the wild. It is relatively unusual to see ransomware attackers using their own custom tools, and it is particularly unusual to see them using a custom tool as sophisticated as Backdoor.Turn,” Symantec said.
DragonForce, a ransomware operation active since at least 2023 and linked to the Scattered Spider group, deployed the custom Go-based remote access trojan (RAT) during an attack against a major US services company.
Backdoor.Turn abuses the Traversal Using Relays around NAT (TURN) protocol, which Microsoft Teams uses to relay traffic when a direct connection is unavailable. The malware obtains an anonymous Teams visitor token, connects through a legitimate Microsoft TURN relay server, and then establishes communication with the attacker’s C&C infrastructure. Because the traffic appears to belong to Microsoft Teams, it can blend into trusted network activity and evade detection.
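The relay technique described above is easiest to hunt for at the protocol level: a TURN session always begins with a STUN-format Allocate request to the relay, so a defender can parse STUN headers on the standard TURN ports and flag allocations that originate from a process other than the Teams client. The following Python is an added example written for this article, not code from Symantec or from the malware; the flow records, the Teams process allowlist (ms-teams.exe, Teams.exe) and the port set 3478-3481 are constructed assumptions to illustrate the check, and the STUN/TURN constants follow RFC 5389 and RFC 5766.

```python
import struct
from dataclasses import dataclass

# STUN header: type(2) length(2) magic-cookie(4) transaction-id(12), RFC 5389
STUN_MAGIC_COOKIE = 0x2112A442
STUN_HEADER_LEN = 20

# Method numbers from RFC 5389 (Binding) and RFC 5766 (TURN methods)
METHODS = {0x001: "Binding", 0x003: "Allocate", 0x004: "Refresh", 0x006: "Send",
           0x007: "Data", 0x008: "CreatePermission", 0x009: "ChannelBind"}
CLASSES = {0: "request", 1: "indication", 2: "success-response", 3: "error-response"}
ATTR_REQUESTED_TRANSPORT = 0x0019

# Assumptions for the detection rule (not from the article): ports Teams media uses
# for STUN/TURN and the process names of the legitimate Teams client.
TURN_PORTS = {3478, 3479, 3480, 3481}
TEAMS_PROCESSES = {"ms-teams.exe", "teams.exe"}


@dataclass
class StunMessage:
    method: str
    msg_class: str
    transaction_id: bytes
    attributes: dict  # attribute type -> raw value bytes


def parse_stun(data: bytes):
    """Parse a STUN/TURN message; return None if the bytes are not STUN."""
    if len(data) < STUN_HEADER_LEN:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    # Top two bits of the type must be zero and the magic cookie must match.
    if msg_type & 0xC000 or cookie != STUN_MAGIC_COOKIE or len(data) < STUN_HEADER_LEN + length:
        return None
    # Method and class bits are interleaved in the 14-bit type field (RFC 5389 s.6).
    method_num = ((msg_type & 0x3E00) >> 2) | ((msg_type & 0x00E0) >> 1) | (msg_type & 0x000F)
    class_num = ((msg_type & 0x0100) >> 7) | ((msg_type & 0x0010) >> 4)
    attrs = {}
    off, end = STUN_HEADER_LEN, STUN_HEADER_LEN + length
    while off + 4 <= end:
        atype, alen = struct.unpack("!HH", data[off:off + 4])
        value = data[off + 4:off + 4 + alen]
        if len(value) < alen:
            return None  # truncated attribute
        attrs[atype] = value
        off += 4 + ((alen + 3) & ~3)  # attribute values are padded to 4 bytes
    return StunMessage(METHODS.get(method_num, f"method-0x{method_num:03x}"),
                       CLASSES[class_num], data[8:20], attrs)


def build_allocate_request(transaction_id: bytes, transport: int = 17) -> bytes:
    """Construct a TURN Allocate request (type 0x0003) with REQUESTED-TRANSPORT."""
    attr = struct.pack("!HH", ATTR_REQUESTED_TRANSPORT, 4) + bytes([transport, 0, 0, 0])
    return struct.pack("!HHI", 0x0003, len(attr), STUN_MAGIC_COOKIE) + transaction_id + attr


def build_binding_request(transaction_id: bytes) -> bytes:
    """Construct a plain STUN Binding request (type 0x0001), no attributes."""
    return struct.pack("!HHI", 0x0001, 0, STUN_MAGIC_COOKIE) + transaction_id


# Constructed flow records: (originating process, destination port, first payload bytes).
SAMPLE_FLOWS = [
    ("ms-teams.exe", 3478, build_allocate_request(b"\x01" * 12)),   # legitimate client
    ("DbgView64.exe", 3478, build_allocate_request(b"\x02" * 12)),  # unexpected process
    ("DbgView64.exe", 443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03" + b"\x00" * 20),  # TLS, not STUN
    ("ms-teams.exe", 3478, build_binding_request(b"\x03" * 12)),    # Binding, not Allocate
]


def find_suspicious_turn_allocations(flows=SAMPLE_FLOWS, allowed=TEAMS_PROCESSES):
    """Return (process, transport) for TURN Allocate requests from non-Teams processes."""
    hits = []
    for process, port, payload in flows:
        if port not in TURN_PORTS:
            continue
        msg = parse_stun(payload)
        if msg is None or msg.method != "Allocate" or msg.msg_class != "request":
            continue
        if process.lower() in allowed:
            continue
        transport = msg.attributes.get(ATTR_REQUESTED_TRANSPORT, b"\x00")[0]
        hits.append((process, transport))
    return hits


if __name__ == "__main__":
    for process, transport in find_suspicious_turn_allocations():
        print(f"TURN Allocate from unexpected process {process} (transport proto {transport})")
```

The rule is deliberately narrow: a Binding request from any process is routine NAT discovery, whereas an Allocate request is the moment a relay candidate is reserved, which is what the relayed C&C channel needs. In a real deployment the process attribution would come from an EDR or host firewall log rather than a constructed tuple, and the allowlist should be keyed on signed image path rather than file name.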
The attack, observed in December 2025, likely began with the exploitation of an unknown vulnerability in an SQL or Microsoft SQL Server environment. After gaining access, the attackers downloaded a ZIP archive containing legitimate VirtualBox and DbgView executables, as well as a malicious DLL used for sideloading.
The threat actors then established persistence by creating unauthorized user accounts, modifying firewall rules, and abusing the Windows LimitBlankPasswordUse policy setting. They also loaded multiple vulnerable drivers in a Bring Your Own Vulnerable Driver (BYOVD) campaign, including Huawei’s HWAuidoOs2Ec.sys, Topaz Antifraud wsftprm.sys, Tower of Fantasy GameDriverx64.sys, and K7 Security K7RKScan.sys, to disable security tools and gain kernel-level privileges.
Symantec researchers also observed ABYSSWORKER, a custom malicious driver disguised as a legitimate Palo Alto Networks driver. Backdoor.Turn was injected into DbgView64.exe, suggesting it may have been intended to maintain long-term access to the compromised environment.
The malware supports a wide range of capabilities, including command execution, process creation, network scanning, Active Directory enumeration, TLS certificate collection, website title harvesting, and browser credential theft.
After completing reconnaissance and data theft operations, the attackers deployed DragonForce ransomware and encrypted the victim’s systems.